Refresh FQDN failed

Reply
L1 Bithead

Refresh FQDN failed

Hi guys,

 

I have a big problem.
My PA failed in refresh fqdn task and now the PA can't resolve Fqdn object.

My dns Setting are good and there is no drops between PA and DNS server.

 

Any advices?

 

Thank you!

Tags (1)
Highlighted
L4 Transporter

Re: Refresh FQDN failed

Hi Erez,

 

To start, you may want to check if the firewall is receving a response for the DNS queries by taking a pcap.

Check if the DNS service route is via MGT or data interface and take tcpdump (MGT) or DP capture (Monitor > packet capture)

 

Check the service route for DNS :

 

Snip20160822_36.png

 

 

 

Thanks,

Sandeep.

L1 Bithead

Re: Refresh FQDN failed

Thank you,

The DNS service route is via MGT.

I did Tcpdump from DNS server (tcpdump filter "src net dns server")

and then force refresh fqdn

this is the result:

8517 packets received by filter
0 packets dropped by kernel

 

This is ok no?

 

L4 Transporter

Re: Refresh FQDN failed

Hi Erez,

 

You need to open the pcap (SCP/TFTP to a computer to view using Wireshark) and check if the DNS req. and response are seen with the DNS response having the answer to FQDN(s) configured.

 

 

Sandeep.

L6 Presenter

Re: Refresh FQDN failed

Hi,

Could you post output of this command:

 

>tail lines 100 mp-log ms.log

 

Thx

Myky

L1 Bithead

Re: Refresh FQDN failed

Here it is:

 

2016-08-23 08:10:21.222 +0300 Error: pan_mgmt_get_sysd_string(pan_cfg_status_handler.c:367): failed to fetch cfg.platform.uuid
2016-08-23 08:10:21.222 +0300 Error: pan_mgmt_get_sysd_string(pan_cfg_status_handler.c:367): failed to fetch cfg.platform.cpuid
2016-08-23 08:10:22.232 +0300 Error: pan_comm_get_tcp_conn_gen(comm_utils.c:571): COMM: cannot connect. remote ip=10.24.15.35 port=3978 err=No route to host(113) sock=29
2016-08-23 08:10:24.323 +0300 No new WF-Private updates available for download
2016-08-23 08:10:35.242 +0300 Error: pan_comm_get_tcp_conn_gen(comm_utils.c:571): COMM: cannot connect. remote ip=10.24.15.35 port=3978 err=No route to host(113) sock=29
2016-08-23 08:10:48.252 +0300 Error: pan_comm_get_tcp_conn_gen(comm_utils.c:571): COMM: cannot connect. remote ip=10.24.15.35 port=3978 err=No route to host(113) sock=29
2016-08-23 08:11:01.262 +0300 Error: pan_comm_get_tcp_conn_gen(comm_utils.c:571): COMM: cannot connect. remote ip=10.24.15.35 port=3978 err=No route to host(113) sock=29
2016-08-23 08:11:14.272 +0300 Error: pan_comm_get_tcp_conn_gen(comm_utils.c:571): COMM: cannot connect. remote ip=10.24.15.35 port=3978 err=No route to host(113) sock=29
2016-08-23 08:11:27.282 +0300 Error: pan_comm_get_tcp_conn_gen(comm_utils.c:571): COMM: cannot connect. remote ip=10.24.15.35 port=3978 err=No route to host(113) sock=29
2016-08-23 08:11:40.292 +0300 Error: pan_comm_get_tcp_conn_gen(comm_utils.c:571): COMM: cannot connect. remote ip=10.24.15.35 port=3978 err=No route to host(113) sock=29
2016-08-23 08:11:49.893 +0300 Error: __retry_wf_report_fetch(pan_cfg_cms_handler.c:1826): Failed to fetch report from wildfire server 10.24.15.34, initiating retries
2016-08-23 08:11:50.574 +0300 client useridd reported op command was SUCCESSFUL
2016-08-23 08:11:53.302 +0300 Error: pan_comm_get_tcp_conn_gen(comm_utils.c:571): COMM: cannot connect. remote ip=10.24.15.35 port=3978 err=No route to host(113) sock=32
2016-08-23 08:11:55.997 +0300 Error: __retry_wf_report_fetch(pan_cfg_cms_handler.c:1826): Failed to fetch report from wildfire server 10.24.15.34, initiating retries
2016-08-23 08:12:06.312 +0300 Error: pan_comm_get_tcp_conn_gen(comm_utils.c:571): COMM: cannot connect. remote ip=10.24.15.35 port=3978 err=No route to host(113) sock=29
2016-08-23 08:12:19.322 +0300 Error: pan_comm_get_tcp_conn_gen(comm_utils.c:571): COMM: cannot connect. remote ip=10.24.15.35 port=3978 err=No route to host(113) sock=29
2016-08-23 08:12:32.332 +0300 Error: pan_comm_get_tcp_conn_gen(comm_utils.c:571): COMM: cannot connect. remote ip=10.24.15.35 port=3978 err=No route to host(113) sock=29
2016-08-23 08:12:45.342 +0300 Error: pan_comm_get_tcp_conn_gen(comm_utils.c:571): COMM: cannot connect. remote ip=10.24.15.35 port=3978 err=No route to host(113) sock=29
2016-08-23 08:12:58.352 +0300 Error: pan_comm_get_tcp_conn_gen(comm_utils.c:571): COMM: cannot connect. remote ip=10.24.15.35 port=3978 err=No route to host(113) sock=29
2016-08-23 08:13:11.362 +0300 Error: pan_comm_get_tcp_conn_gen(comm_utils.c:571): COMM: cannot connect. remote ip=10.24.15.35 port=3978 err=No route to host(113) sock=32
2016-08-23 08:13:24.372 +0300 Error: pan_comm_get_tcp_conn_gen(comm_utils.c:571): COMM: cannot connect. remote ip=10.24.15.35 port=3978 err=No route to host(113) sock=29
2016-08-23 08:13:37.382 +0300 Error: pan_comm_get_tcp_conn_gen(comm_utils.c:571): COMM: cannot connect. remote ip=10.24.15.35 port=3978 err=No route to host(113) sock=29
2016-08-23 08:13:46.173 +0300 Error: __retry_wf_report_fetch(pan_cfg_cms_handler.c:1826): Failed to fetch report from wildfire server 10.24.15.34, initiating retries
2016-08-23 08:13:50.392 +0300 Error: pan_comm_get_tcp_conn_gen(comm_utils.c:571): COMM: cannot connect. remote ip=10.24.15.35 port=3978 err=No route to host(113) sock=29
2016-08-23 08:13:52.277 +0300 Error: __retry_wf_report_fetch(pan_cfg_cms_handler.c:1826): Failed to fetch report from wildfire server 10.24.15.34, initiating retries
2016-08-23 08:13:58.379 +0300 Error: __retry_wf_report_fetch(pan_cfg_cms_handler.c:1826): Failed to fetch report from wildfire server 10.24.15.34, initiating retries
2016-08-23 08:14:03.402 +0300 Error: pan_comm_get_tcp_conn_gen(comm_utils.c:571): COMM: cannot connect. remote ip=10.24.15.35 port=3978 err=No route to host(113) sock=29
2016-08-23 08:14:04.480 +0300 Error: __retry_wf_report_fetch(pan_cfg_cms_handler.c:1826): Failed to fetch report from wildfire server 10.24.15.34, initiating retries
2016-08-23 08:14:10.583 +0300 Error: __retry_wf_report_fetch(pan_cfg_cms_handler.c:1826): Failed to fetch report from wildfire server 10.24.15.34, initiating retries
2016-08-23 08:14:16.411 +0300 Error: pan_comm_get_tcp_conn_gen(comm_utils.c:571): COMM: cannot connect. remote ip=10.24.15.35 port=3978 err=No route to host(113) sock=29
2016-08-23 08:14:16.686 +0300 Error: __retry_wf_report_fetch(pan_cfg_cms_handler.c:1826): Failed to fetch report from wildfire server 10.24.15.34, initiating retries
2016-08-23 08:14:22.791 +0300 Error: __retry_wf_report_fetch(pan_cfg_cms_handler.c:1826): Failed to fetch report from wildfire server 10.24.15.34, initiating retries
2016-08-23 08:14:28.894 +0300 Error: __retry_wf_report_fetch(pan_cfg_cms_handler.c:1826): Failed to fetch report from wildfire server 10.24.15.34, initiating retries
2016-08-23 08:14:29.421 +0300 Error: pan_comm_get_tcp_conn_gen(comm_utils.c:571): COMM: cannot connect. remote ip=10.24.15.35 port=3978 err=No route to host(113) sock=32
2016-08-23 08:14:35.003 +0300 Error: __retry_wf_report_fetch(pan_cfg_cms_handler.c:1826): Failed to fetch report from wildfire server 10.24.15.34, initiating retries
2016-08-23 08:14:41.105 +0300 Error: __retry_wf_report_fetch(pan_cfg_cms_handler.c:1826): Failed to fetch report from wildfire server 10.24.15.34, initiating retries
2016-08-23 08:14:42.431 +0300 Error: pan_comm_get_tcp_conn_gen(comm_utils.c:571): COMM: cannot connect. remote ip=10.24.15.35 port=3978 err=No route to host(113) sock=29
2016-08-23 08:14:47.205 +0300 Error: __retry_wf_report_fetch(pan_cfg_cms_handler.c:1826): Failed to fetch report from wildfire server 10.24.15.34, initiating retries
2016-08-23 08:14:53.309 +0300 Error: __retry_wf_report_fetch(pan_cfg_cms_handler.c:1826): Failed to fetch report from wildfire server 10.24.15.34, initiating retries
2016-08-23 08:14:55.441 +0300 Error: pan_comm_get_tcp_conn_gen(comm_utils.c:571): COMM: cannot connect. remote ip=10.24.15.35 port=3978 err=No route to host(113) sock=29
2016-08-23 08:14:59.410 +0300 Error: __retry_wf_report_fetch(pan_cfg_cms_handler.c:1826): Failed to fetch report from wildfire server 10.24.15.34, initiating retries
2016-08-23 08:15:00.334 +0300 Checking to purge appstatdb logtype
2016-08-23 08:15:08.451 +0300 Error: pan_comm_get_tcp_conn_gen(comm_utils.c:571): COMM: cannot connect. remote ip=10.24.15.35 port=3978 err=No route to host(113) sock=29
2016-08-23 08:15:21.222 +0300 pan_dynupdsch_local_refresh(pan_cfg_dynupdsch.c:1793): scheduled-update: "_SystemWildfireUpdate_" refreshing of WildFire
2016-08-23 08:15:21.223 +0300 Error: pan_mgmt_get_sysd_string(pan_cfg_status_handler.c:367): failed to fetch cfg.platform.uuid
2016-08-23 08:15:21.223 +0300 Error: pan_mgmt_get_sysd_string(pan_cfg_status_handler.c:367): failed to fetch cfg.platform.cpuid
NO_MATCHES
2016-08-23 08:15:21.461 +0300 Error: pan_comm_get_tcp_conn_gen(comm_utils.c:571): COMM: cannot connect. remote ip=10.24.15.35 port=3978 err=No route to host(113) sock=29
NO_MATCHES
--2016-08-23 08:15:21-- https://updates.paloaltonetworks.com/Updates/UpdateService2.asmx/CheckForWildfireUpdate
Resolving updates.paloaltonetworks.com... 199.167.52.141
Connecting to updates.paloaltonetworks.com|199.167.52.141|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 1606 (1.6K) [text/xml]
Saving to: `/tmp/.wildfireinfo.xml.71763.tmp'

 

 

10.24.15.35 is our pamorama machine but we didn't using the machine.

L6 Presenter

Re: Refresh FQDN failed

Hi,

Just confirm you can ping your DNS servers from the Palo through the CLI. Take few FQDN and try to see if you are getting a resolution, not from the Palo device, just use different PC.

What PAN-OS are you running? After 6.1.x you can change refresh time to 600 seconds instead of 1800.

If the device fails to get FQDN info during a refresh period, the firewall will not retry immediately. The firewall will wait for the new refresh period time.

 

> configure

# set deviceconfig system fqdn-refresh-time <600-14399>

# commit

 

More info here:

 

https://live.paloaltonetworks.com/t5/Configuration-Articles/How-to-Change-the-FQDN-Refresh-Timers/ta...

 

For your logs errors check this article:

 

https://live.paloaltonetworks.com/t5/Management-Articles/Log-Collector-Setting-Does-Not-Clear-on-the...

 

Thx,

Myky

Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the Live Community as a whole!

The Live Community thanks you for your participation!